Privacy Policy
Introduction
Y4 Works Oy ("Suunta.ai," "we," "us," or "our") operates the Suunta.ai platform, an AI-powered strategic planning service for businesses. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services.
Suunta.ai is a business-to-business (B2B) service. This Privacy Policy applies to representatives of our business customers and their authorized users.
Data Controller: Y4 Works Oy, Business ID: 2978296-6, Finland, Email: privacy@suunta.ai
1. Information We Collect
1.1 Information You Provide
Account Information
| Data | Required | Purpose |
|---|---|---|
| Email address | Yes | Account login, communications |
| First and last name | No | Personalization |
| Phone number | No | Optional contact |
| Password | Yes* | Authentication |
| Profile picture | No | Personalization |
| Language preference | Yes (default: Finnish) | Localization |
| Timezone | Yes (default: Europe/Helsinki) | Time display |
| Additional profile details | No | Personalization |
SSO users authenticate via Google or Microsoft and do not have a Suunta.ai password.
Organization Information
| Data | Required | Purpose |
|---|---|---|
| Organization name | Yes | Account identification |
| Country | Yes (default: Finland) | Localization, compliance |
| City | No | Localization |
| Industry | No | Service customization |
| Organization size | No | Service customization |
| Website | No | Organization profile |
| Logo | No | Branding |
| Organization profile details | No | Service customization |
Business Data
- Strategy documents and plans
- OKRs (Objectives and Key Results)
- KPIs (Key Performance Indicators) and metrics
- Projects and tasks
- Documents for AI analysis (RAG sources)
- Chat conversations with our AI assistant
- Other business data submitted by you
This business data is processed to provide you with our Services.
1.2 Information Collected Automatically
Technical Data
| Data | Purpose | Retention |
|---|---|---|
| IP address | Security, fraud prevention | Overwritten on new login |
| User agent (browser/device) | Security, session management | Session duration |
| Login timestamps | Security audit | Overwritten |
| Session data | Authentication state | 14-30 days |
| Failed login attempts | Brute-force protection | Reset on successful login |
Usage Data
| Data | Purpose | Retention |
|---|---|---|
| AI feature usage (tokens, model, latency) | Billing, analytics | 365 days |
| Activity logs (actions performed) | Audit trail | 12-36 months |
Important: We do NOT store your AI prompts or AI-generated responses. Only metadata about AI usage (such as token counts and response times) is logged.
1.3 Information from Third Parties
Single Sign-On (SSO)
If you sign in via Google or Microsoft, we receive your name, email, and profile picture from the SSO provider.
Payment Information
We use Stripe for payment processing. Stripe collects and processes your payment card information directly. We receive only your Stripe Customer ID and subscription status, never your card details.
Integrations
If you connect third-party services (Slack, Google Workspace, etc.), we receive data necessary for the integration as configured by you.
2. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Services (account management, AI features, data storage) | Contract performance (Article 6(1)(b)) |
| Processing payments and managing subscriptions | Contract performance |
| Sending transactional emails (OTP codes, notifications) | Contract performance |
| Ensuring security and preventing fraud | Legitimate interest (Article 6(1)(f)) |
| Maintaining audit logs for compliance | Legitimate interest / Legal obligation |
| Improving the Services (aggregate analytics) | Legitimate interest |
| Responding to support requests | Contract performance |
| Complying with legal obligations | Legal obligation (Article 6(1)(c)) |
We do NOT:
- Sell your personal information
- Use your data for advertising
- Share your data with data brokers
- Use your business data to train AI models (without explicit consent)
3. AI Data Processing
3.1 How AI Features Work
- Your prompts and context are sent to our AI providers (Anthropic, OpenAI, Google, Mistral)
- The AI provider processes your request and returns a response
- We display the response to you
- We log only metadata (tokens used, processing time, cost)
3.2 What We Store
| Stored | Not Stored |
|---|---|
| Chat conversation history (for continuity) | Raw AI prompts sent to providers |
| AI usage metadata (tokens, latency, cost) | AI provider responses |
| Document embeddings (for search) | Original document text after indexing |
3.3 AI Provider Data Handling
- OpenAI: store=False flag to disable storage
- Anthropic: Standard API with no training on inputs
- Google Vertex AI: EU region where available
- Mistral: EU-based provider
We do not permit our AI providers to use your data for model training.
3.4 RAG (Document Analysis)
- Text is extracted from your document
- Text is converted to vector embeddings
- Original text is cleared within 24 hours
- Embeddings and text chunks are retained for search functionality
- Deleting a source removes all associated data
4. Information Sharing
4.1 Service Providers (Subprocessors)
| Provider | Purpose | Location |
|---|---|---|
| AWS | Infrastructure hosting | EU (Stockholm) |
| Anthropic | AI processing | USA |
| OpenAI | AI processing | USA |
| Google (Vertex AI) | AI processing | EU/USA |
| Mistral | AI processing | EU (France) |
| Stripe | Payment processing | USA/EU |
| Resend | Email delivery | EU |
For the complete list, see our Subprocessor List at https://suunta.ai/legal/subprocessors.
4.2 Customer-Initiated Integrations
- Slack: Messages, notifications as configured
- Google Workspace: Calendar events, spreadsheet data as configured
- Zapier/Make: Webhook payloads as configured
You control which integrations are enabled and what data is shared.
4.3 Legal Requirements
We may disclose information in the following circumstances:
- To comply with applicable law or legal process
- To respond to lawful requests from public authorities
- To protect our rights, privacy, safety, or property
- In connection with a merger, acquisition, or sale of assets
4.4 With Your Consent
We may share information with third parties when you have given explicit consent.
5. International Transfers
5.1 Where We Process Data
Primary processing occurs in the EU (AWS Stockholm, eu-north-1). AI processing may occur in the USA through AI providers.
5.2 Transfer Safeguards
For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary measures including encryption and access controls, and provider certifications (e.g., SOC 2, ISO 27001).
6. Data Retention
6.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Active user accounts | Duration of use |
| Deleted user accounts | Anonymized immediately |
| Organization data | Until organization deletion + 90 days (backups) |
| AI usage metadata | 365 days |
| Audit logs (standard) | 24 months |
| Audit logs (critical) | 36 months |
| Billing records | 6 years (Finnish law) |
| Backups | 30 days |
6.2 Account Deletion
- Your personal information is anonymized
- Your email is replaced with a placeholder
- Your organization memberships are removed
- Your sessions are revoked
- Audit logs are retained for compliance (with anonymized actor ID)
6.3 Organization Deletion
- 30-day grace period (cancellable)
- All organization data is permanently deleted
- User accounts remain but lose organization access
- Immutable compliance audit log entry is created
7. Your Rights
Under GDPR, you have the following rights and can exercise them via Settings or by contacting privacy@suunta.ai:
- Right of access (Article 15): Settings → Export Data
- Right to rectification (Article 16): Settings → Profile
- Right to erasure (Article 17): Settings → Delete Account / Delete Organization
- Right to restriction (Article 18): Email privacy@suunta.ai
- Right to data portability (Article 20): Settings → Export Data
- Right to object (Article 21): Email privacy@suunta.ai
- Right to withdraw consent: Settings → Marketing Preferences
You also have the right to lodge a complaint with a supervisory authority. In Finland, this is:
Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki
tietosuoja@om.fi
+358 29 566 6700
8. Cookies and Similar Technologies
8.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session | Essential | Authentication | 14-30 days |
8.2 What We Don't Use
- Google Analytics
- Facebook Pixel
- Marketing cookies
- Third-party tracking cookies
8.3 Local Storage
| Key | Purpose |
|---|---|
| sidebarCollapsed | UI preference |
| theme | Display theme |
| userTimezone | Time display |
8.4 Third-Party Scripts
- Stripe (js.stripe.com): Payment processing
- Google Fonts: Typography
- Font Awesome: Icons
These services may set their own cookies. See their respective privacy policies.
9. Security
9.1 Technical Measures
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Password security: PBKDF2-SHA256 hashing
- Session security: HttpOnly, Secure, SameSite cookies
- Access control: Role-based, organization-isolated
9.2 Organizational Measures
- Confidentiality obligations for personnel
- Security awareness training
- Incident response procedures
- Regular security assessments
9.3 Your Responsibilities
- Keep your password secure
- Use a strong, unique password
- Report suspicious activity immediately
- Log out on shared devices
10. Children's Privacy
Suunta.ai is a B2B service intended for business professionals. The Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before they take effect and by a prominent notice on our website. Continued use of the Services after changes constitutes acceptance.
12. Contact Us
For privacy-related questions or to exercise your rights: Y4 Works Oy (Suunta.ai), Email: privacy@suunta.ai. For general inquiries: team@suunta.ai.
13. Additional Information for EEA Users
13.1 Legal Basis Summary
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract |
| Service delivery | Contract |
| Payment processing | Contract |
| Transactional emails | Contract |
| Security measures | Legitimate interest |
| Audit logging | Legitimate interest / Legal obligation |
| Marketing (if opted in) | Consent |
13.2 Data Protection Officer
As a small business, we have not appointed a formal DPO. For data protection inquiries, contact: privacy@suunta.ai.
13.3 Automated Decision-Making
We do not make automated decisions that produce legal effects or similarly significantly affect you. AI features provide recommendations and analysis, but final decisions are made by you.